It is important to note that although the UK has officially left the EU, at present personal data can still be freely transferred between the UK and the EU until the end of the transition period (31 December 2020). After this, the ‘UK GDPR’ will apply, which is almost identical to the current EU GDPR. The UK Government has confirmed that after the transition period, businesses can still send personal data from the UK to the EU without additional formalities, but this will be kept under review. However, if the UK exits the EU without a deal, European businesses will need to put safeguards in place for transferring data into the UK, as it will be treated as a ‘third country’ for data transfer purposes.
One of the safeguards that can be relied upon for transferring data outside of the EEA into the UK is an adequacy decision. An adequacy decision is where the EU has assessed a country’s data protection laws and deemed them at least equivalent to the EU’s. The European Commission will not take an adequacy decision on the UK until it becomes a third country and has not indicated a time frame for doing so. In other cases, adequacy assessment and negotiations have taken many months; therefore, UK businesses will need other mechanisms in place with their European data exporters to ensure that data can continue to flow freely and lawfully in the event of a no-deal Brexit.
WHAT CAN UK BUSINESSES DO TO ENSURE THEY CAN STILL RECEIVE DATA FROM EUROPE FOLLOWING A NO-DEAL BREXIT?
UK businesses that are part of a multi-national group may consider (or already have in place) binding corporate rules (BCRs); these are internal rules for the transfer of data among separate entities within a corporate group. If BCRs are not applicable, UK businesses may consider incorporating standard contractual clauses (SCCs) into their contracts with European organisations. The UK’s data protection authority, the ICO, has put together a contract builder (Controller to Controller or Controller to Processor) to assist UK businesses in implementing SCCs. It may also be possible to rely on other safeguards in accordance with Article 46 of the GDPR. For further information, refer to the ICO’s 5 steps to take.
In certain scenarios (such as if you offer goods or services to individuals in the EEA or monitor the behaviour of individuals in the EEA but you do not have any EEA offices, branches or establishments) you may need to appoint a representative from the end of the transition period. Further details can be found on the ICO European representatives page. If your business relies on exchanging personal data with European organisations then you should take action now to protect your position with your European clients and suppliers.